Newsgroups: php.internals
Subject: Re: [PHP-DEV] Let's allow eval() to be turned off in PHP 8
From: Benjamin Morel <benjamin.morel@gmail.com>
To: Ian Littman
Cc: Stanislav Malyshev, PHP internals
Date: Wed, 27 Nov 2019 00:09:18 +0100
References: <05388310-2c80-2b42-a564-0fda2b6a2396@gmail.com>

> One interesting thing with item #1 is that it allows for remote arbitrary
> code execution even if no include-able path on a server is writable. This
> comes into play if there's a supply chain attack on your app. Say, an
> infected update on a CMS plugin. Get an eval() of a file_get_contents() of
> a URL into the code and... well, you get code execution that (if you're
> lucky) only leaves a trace in logs. If you have to write a file somewhere
> first, then include it, you've got a bit more of a footprint.

You don't have to hit disk, or have any writable path.
You can just create a stream wrapper that stores the "files" in memory, and
include them as you would include a regular file.

> Can you work around these restrictions? Yep, but it takes a bit more effort
> than the current setup. It doesn't make a server secure by any stretch, but
> it reduces its attack surface slightly, and reduces the universe of
> malicious code that won't error out, forcing malefactors to work just a bit
> harder.

Disabling eval() really doesn't reduce the attack surface at all, if you ask
me. Malefactors will quickly and easily adapt their tools, which script
kiddies will use as before.

— Benjamin
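The in-memory stream wrapper Benjamin describes, written out as an added example (this code is not from the mailing-list post or from php-src). It registers a user-defined wrapper, serves a "file" from a PHP array, and includes it: no eval(), no writable directory, no disk I/O. The wrapper scheme `mem://`, the class name `MemoryCodeWrapper` and the payload string are this example's own choices; the payload is constructed inline, where in the supply-chain scenario from the thread it would be whatever `file_get_contents()` fetched from a remote URL.

```php
<?php
// Added example: a user-space stream wrapper whose "files" live in a PHP
// array. include/require read it exactly like a file on disk.

final class MemoryCodeWrapper
{
    /** @var array<string,string> path (without scheme) => file contents */
    public static array $files = [];

    /** PHP assigns the stream context here; declare it to avoid dynamic-property deprecations. */
    public $context;

    private string $data = '';
    private int $pos = 0;

    public function stream_open(string $path, string $mode, int $options, ?string &$opened_path): bool
    {
        // Strip the "mem://" scheme and look the file up in the in-memory table.
        $key = substr($path, strlen('mem://'));
        if (!isset(self::$files[$key])) {
            return false;
        }
        $this->data = self::$files[$key];
        $this->pos = 0;
        $opened_path = $path;
        return true;
    }

    public function stream_read(int $count): string
    {
        $chunk = substr($this->data, $this->pos, $count);
        $this->pos += strlen($chunk);
        return $chunk;
    }

    public function stream_eof(): bool
    {
        return $this->pos >= strlen($this->data);
    }

    /** The compiler asks for the size before reading; only 'size' is needed here. */
    public function stream_stat(): array
    {
        return ['size' => strlen($this->data)];
    }

    /** Zend disables stream buffering on include; without this method PHP 7.4+ warns. */
    public function stream_set_option(int $option, int $arg1, ?int $arg2): bool
    {
        return false;
    }

    public function stream_close(): void
    {
    }
}

if (!stream_wrapper_register('mem', MemoryCodeWrapper::class)) {
    fwrite(STDERR, "mem:// wrapper already registered\n");
    exit(1);
}

// Constructed payload: stands in for code pulled from a remote URL.
MemoryCodeWrapper::$files['plugin.php'] =
    '<?php return "executed from memory as " . __FILE__;';

// Compiled and executed straight from the wrapper; nothing touches disk.
$result = include 'mem://plugin.php';
echo $result, PHP_EOL;

// Defender-side check: a wrapper nobody registered on purpose is a signal.
echo 'registered wrappers: ', implode(', ', stream_get_wrappers()), PHP_EOL;
```

Two caveats worth knowing when weighing this against an eval() switch. A wrapper registered with `stream_wrapper_register()` without the `STREAM_IS_URL` flag is treated as a local wrapper, so `allow_url_include=Off` does not block the include above (it would block the equivalent trick with `data://`). And `eval` is a language construct rather than a function, so it cannot be listed in `disable_functions`, whereas `stream_wrapper_register` can be; that closes this particular route but not the others the thread mentions, which is the point Benjamin is making.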